Intro to Cryptocurrencies & Review of Relevant Crypto Tyler Moore, CS 7403, University of Tulsa Slides adapted from Arvind Narayanan, Joseph Bonneau, Edward.

Slides:



Advertisements
Similar presentations
Secure Multiparty Computations on Bitcoin
Advertisements

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures and Hash Functions. Digital Signatures.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Chapter 7-1 Signature Schemes.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Computer Science Public Key Management Lecture 5.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Sorting Out Digital Certificates Bill blog.codingoutloud.com ··· Boston Azure ··· 13·Dec·2012 ···
8. Data Integrity Techniques
Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.
Cryptography Lecture 9 Stefan Dziembowski
Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.
23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.
David Luebke 1 10/25/2015 CS 332: Algorithms Skip Lists Hash Tables.
1 Bitcoin A Digital Currency. Functions of Money.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 2: Message integrity.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
CS6045: Advanced Algorithms Data Structures. Hashing Tables Motivation: symbol tables –A compiler uses a symbol table to relate symbols to associated.
Lecture 5 Page 1 CS 236 Online Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E,P) P = D(K D,C) Often, works the.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Section #9: Bitcoins. Digital currency Unique string of bits Use cryptography for security and privacy Not tied to names: hard to trace Finite set of.
Cryptographic Security Aveek Chakraborty CS5204 – Operating Systems1.
How Bitcoin Achieves Decentralization
How to Store and Use Bitcoins Tyler Moore, CS 7403, University of Tulsa Slides adapted from Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller,
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Mechanics of Bitcoin Part II
Public Key Encryption Systems
Mechanics of Bitcoin Part I
Cryptographic Hash Pointers
Bitcoin and the Blockchain
Topic 14: Random Oracle Model, Hashing Applications
CS898AT – Bitcoins and Cryptocurrencies
Keys Campbell R. Harvey Duke University, NBER and
Campbell R. Harvey Duke University and NBER
Nakamoto Consensus Marco Canini
Security through Encryption
Campbell R. Harvey Duke University and NBER
Blockchains slides have been taken from:
Digital Signatures.
CS 394B Introduction Marco Canini.
Consensus Algorithms.
TELE3119: Trusted Networks Week 5
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Security: Integrity, Authentication, Non-repudiation
Public Key Encryption Systems
Chapter 8 roadmap 8.1 What is network security?
Cryptography Lecture 26.
Presentation transcript:

Intro to Cryptocurrencies & Review of Relevant Crypto Tyler Moore, CS 7403, University of Tulsa Slides adapted from Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, Princeton University 1

Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 2

Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 3

Hash function: takes any string as input fixed-size output (we’ll use 256 bits) efficiently computable Security properties: collision-free hiding puzzle-friendly 4

Hash property 1: Collision-free Nobody can find x and y such that x != y and H(x)=H(y) x y H(x) = H(y) 5

Collisions do exist... possible inputs possible outputs … but can anyone find them? 6

How to find a collision try randomly chosen inputs 99.8% chance that two of them will collide This works no matter what H is … … but it takes too long to matter 7

Is there a faster way to find collisions? For some possible H’s, yes. For others, we don’t know of one. No H has been proven collision-free. 8

Application: Hash as message digest If we know H(x) = H(y), it’s safe to assume that x = y. To recognize a file that we saw before, just remember its hash. Useful because the hash is small. 9

Hash property 2: Hiding We want something like this: Given H(x), it is infeasible to find x. H(“heads”) H(“tails”) easy to find x! 10

Hash property 2: Hiding Hiding property: If r is chosen from a probability distribution that has high min-entropy, then given H(r | x), it is infeasible to find x. High min-entropy means that the distribution is “very spread out”, so that no particular value is chosen with more than negligible probability. 11

Application: Commitment Want to “seal a value in an envelope”, and “open the envelope” later. Commit to a value, reveal it later. 12

Commitment API (com, key) := commit(msg) match := verify(com, key, msg) To seal msg in envelope: (com, key) := commit(msg) -- then publish com To open envelope: publish key, msg anyone can use verify() to check validity 13

Commitment API (com, key) := commit(msg) match := verify(com, key, msg) Security properties: Hiding: Given com, infeasible to find msg. Binding: Infeasible to find msg != msg’ such that verify(commit(msg), msg’) == true 14

Commitment API commit(msg) := ( H(key | msg), H(key) ) where key is a random 256-bit value verify(com, key, msg) := ( H(key | msg) == com ) Security properties: Hiding: Given H(key | msg), infeasible to find msg. Binding: Infeasible to find msg != msg’ such that H(key | msg) == H(key | msg’) 15

Hash property 3: Puzzle-friendly Puzzle-friendly: For every possible output value y, if k is chosen from a distribution with high min-entropy, then it is infeasible to find x such that H(k | x) = y. 16

Application: Search puzzle Given a “puzzle ID” id (from high min-entropy distrib.), and a target set Y: Try to find a “solution” x such that H(id | x) ∈ Y. Puzzle-friendly property implies that no solving strategy is much better than trying random values of x. 17

Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 18

hash pointer is: * pointer to where some info is stored, and * (cryptographic) hash of the info if we have a hash pointer, we can * ask to get the info back, and * verify that it hasn’t changed 19

(data) H( ) will draw hash pointers like this 20

key idea: build data structures with hash pointers 21

linked list with hash pointers = “block chain” data prev: H( ) data prev: H( ) data prev: H( ) H( ) use case: tamper-evident log 22

detecting tampering data prev: H( ) data prev: H( ) data prev: H( ) H( ) use case: tamper-evident log 23

binary tree with hash pointers = “Merkle tree” H( ) (data) 24

proving membership in a Merkle tree H( ) (data) show O(log n) items 25

Advantages of Merkle trees Tree holds many items but just need to remember the root hash Can verify membership in O(log n) time/space Variant: sorted Merkle tree can verify non-membership in O(log n) (show items before, after the missing one) 26

More generally... can use hash pointers in any pointer-based data structure that has no cycles 27

Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 28

What we want from signatures Only you can sign, but anyone can verify Signature is tied to a particular document can’t be cut-and-pasted to another doc 29

API for digital signatures (sk, pk) := generateKeys(keysize) sk: secret signing key pk: public verification key sig := sign(sk, message) isValid := verify(pk, message, sig) 30

Requirements for signatures “valid signatures verify” verify(pk, message, sign(sk, message)) == true “can’t forge signatures” adversary who: knows pk gets to see signatures on messages of his choice can’t produce a verifiable signature on another message 31

Note: Bitcoin uses ECDSA standard Elliptic Curve Digital Signature Algorithm relies on hairy math will skip the details here --- look it up if you care good randomness is essential foul this up in generateKeys() or sign() ? probably leaked your private key 32

Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 33

Useful trick: public key == an identity if you see sig such that verify(pk, msg, sig)==true, think of it as pk says, “[msg]”. to “speak for” pk, you must know matching secret key sk 34

How to make a new identity create a new, random key-pair (sk, pk) pk is the public “name” you can use [usually better to use Hash(pk)] sk lets you “speak for” the identity you control the identity, because only you know sk if pk “looks random”, nobody needs to know who you are 35

Decentralized identity management anybody can make a new identity at any time make as many as you want! no central point of coordination These identities are called “addresses” in Bitcoin. 36

Privacy Addresses not directly connected to real-world identity. But observer can link together an address’s activity over time, make inferences. 37

Overview Cryptographic Hash Functions Hash Pointers and Data Structures Digital Signatures Public Keys as Identities Simple Cryptocurrencies 38

GoofyCoin 39

Goofy can create new coins CreateCoin [uniqueCoinID] signed by sk Goofy New coins belong to me. 40

A coin’s owner can spend it. CreateCoin [uniqueCoinID] signed by sk Goofy Pay to pk Alice : H( ) signed by sk Goofy Alice owns it now. 41

The recipient can pass on the coin again. CreateCoin [uniqueCoinID] signed by sk Goofy Pay to pk Alice : H( ) signed by sk Goofy Pay to pk Bob : H( ) signed by sk Alice Bob owns it now. 42

CreateCoin [uniqueCoinID] signed by sk Goofy Pay to pk Alice : H( ) signed by sk Goofy Pay to pk Bob : H( ) signed by sk Alice Pay to pk Chuck : H( ) signed by sk Alice double-spending attack 43

double-spending attack one of the main design challenges in digital currencies 44

ScroogeCoin 45

trans prev: H( ) trans prev: H( ) trans prev: H( ) H( ) transID: 73 transID: 72transID: 71 Scrooge publishes a history of all transactions (a block chain, signed by Scrooge) optimization: put multiple transactions in the same block 46

transID: 73 type:CreateCoins CreateCoins transaction creates new coins coins created num valuerecipient 03.20x x x... coinID 73(0) coinID 73(1) coinID 73(2) Valid, because I said so. 47

transID: 73 type:PayCoins PayCoins transaction consumes (and destroys) some coins, and creates new coins of the same total value coins created num valuerecipient 03.20x x x... consumed coinIDs: 68(1), 42(0), 72(3) signatures Valid if: -- consumed coins valid, -- not already consumed, -- total value out = total value in, and -- signed by owners of all consumed coins 48

Immutable coins Coins can’t be transferred, subdivided, or combined. But: you can get the same effect by using transactions to subdivide: create new trans consume your coin pay out two new coins to yourself 49

Don’t worry, I’m honest. Crucial question: Can we descroogify the currency, and operate without any central, trusted party? 50